Insulin Pump Hacking: Sensationalism or Legitimate Threat?

Of course, the motive to do so would be strange, to say the least. But after episodes such as the Tylenol scare in the 1980s and widespread, seemingly pointless hacking episodes over the years, it doesn’t hurt for manufactures to be careful in protecting their customers.

Because of the attention this issue has been getting over the years, it wasn’t much of a surprise when Jay Radcliffe, gave a presentation at the Black Hat security conference held in Las Vegas, explaining that it was possible to hack insulin pumps. Radcliffe, a security researcher who is also diabetic, successfully hacked his own insulin pump. "On stage at the conference I remotely disabled the insulin pump," Radcliffe explains. "I am able to alter any configuration setting on the pump without the user of the device being notified as well." After he gave the presentation, Radcliffe later informed the AP of the story.

Although this isn't the first time that the issue of hacking has been raised in a medical device context, it did get more attention than it has in years' past—garnering notice from diabetics with insulin pumps (and others) who happen to be bloggers. And from others. Some of the comments that stood out include the following (I don't necessarily endorse the content of these sources):

"Hackers can kill Diabetics with Insulin Pumps from a half mile away - Um, no. Facts vs. Journalistic Fear mongering"
"Even the human bloodstream isn't safe from computer hackers."
"Hacked: Jay Radcliffe, Insulin Pumps, and Diabetes Sensationalism."
"OMG!!! What next?????"
"In a dramatic Black Hat presentation like some kind of insulin Al Qaeda, security researcher Jay Radcliffe explains how an attacker in the cyber world could launch a wireless hack up to a half mile away from a victim, to remotely control an insulin pump and potentially kill a person in the real world." (Computerworld)

In the past, when hacking of medical devices was discussed, the context was generally something along the lines of “it’s a remote possibility, but it’s still something to consider and to work towards preventing.” That was the context of the Technology Review’s coverage back in 2009:

Could implanted medical devices that use wireless communication, such as pacemakers, be maliciously hacked to threaten patients' lives? Kevin Fu is no stranger to such overblown scenarios based on his research, though he prefers to stick to talking about technical details. But Fu, a software engineer and assistant professor of computer science, is a security guy. And security people think differently.

That quote neatly sums out both sides of the issue: It's a problem worthy of consideration, but not something people with insulin pumps (or other life-preserving devices) should waste much time worrying about.

A PR director from Medtronic’s insulin pump subsidiary MiniMed Inc. wrote the following on diabetes social media site TuDiabetes.org: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

The drive behind it was to convince manufacturers of insulin pumps to consider the topic. As Radcliffe explains on Six Until Me:

"And vendors need to know about these vulnerabilities. Is it deterring from actual diabetes cure research? I don't think so, but if it is, people can't be mad at me for bringing the issue up. If you want your insulin pumps to be safer, I have to do this. I'm sorry if it makes people upset, but I'm doing this as ethically as possible. I didn't disclose the brand of device that I wear, and I kept the company protected to the best of my ability."??

So, I'm left wondering, how successful can a tactic like this be—describing a problem like this at a hacking conference? If Radcliffe's target audience was device manufacturers, is there a better way to get their attention? Radcliffe spoke to this point by acknowledging that some diabetic bloggers are critical of his actions because the fear generated by this publicity could result in an increase in time FDA takes to approve devices.

But Radcliffe's aim here is to simply bring attention to the issue. "Fifteen years ago, when we did research on vulnerabilities in computer networks, we were ignored," he says. "They said that the risks were too small, and the 'Internet' was only used for universities sharing scientific research data. It's now the backbone of the economy handling almost all of our financial data transactions and commerce," he adds. "While there is very little risk to the individual insulin pump user, the fact we have insecure embedded computers responsible for critical health functions should give pause to everyone involved. We hold banks responsible for security of a $10 online purchase, but we'll give medical device makers a free pass on not securing the devices responsible for our health or even our lives? When we spend upwards of $6000 for a medical device I think we deserve to have that device be secure."

—Brian Buntz

Note: This blog post was edited after it was initally posted. Quotes from Jay Radcliffe were added and an inaccuracy regarding his hacking of the insulin pump was corrected.

Comments

Plain text